Library

 

Personal Information Protection Act and Records Management in Alberta

  1. Introduction
  2. Analysis
  3. Conclusion
  4. References
  5. Links

Analysis

The Personal Information Protection Act became law in Alberta on January 1, 2004. With the enactment of this legislation, the methodology by which any and all organizations that retain personal information about individuals, that collects , maintains, disseminates, protects and destroys such personal information, was directly impacted. Since then there have been further changes to the effect of PIPA on records management in Alberta with the royal assent of Bill 54, the Personal Information Protection Amendment Act on November 26, 2009, and its coming into effect on May 1, 2010.

There is much discussion as to what the Personal Information Protection Act is and subsequently, what its purpose is. During the November 4, 2009, legislative debate, the Honourable Member for Calgary-Edgemont called amendments to PIPA by way of Bill 54 “common-sense rules” for managing personal information. In addition to this, in the “Guide to Personal Information Protection Act," it is stated that PIPA “strikes a balance” between as stated by the Act the "right[s] of the individual... and the need... to collect, use, [manage, destroy], or disclose personal information for purposes that are reasonable." As an aside, personal information is defined as any information "about an identifiable individual," further examples of which can be found in the Office of the Information and Privacy Commissioner's Guide to Personal Information Protection Act.

While the previously stated qualifiers of 'common-sense rules' and 'strikes a balance' are interposed as the motivation or idea behind the development of this Act, they do not serve to simplify give the Act for RM. Nor, one would argue, does some of the language contained in the Act serve to simply its application for and by records managers. Even at a political level there is discussion over the almost ambiguous use of qualifiers and its effect for practice. Throughout the legislation and examined literature topic there are multiple uses of the term, "reasonable." By its very definition this includes the actions of "determining whether a thing or matter is reasonable" and subsequent idea of dealing with that thing "reasonably and in a reasonable manner." However, what is quite interesting about this definition is that reasonable is defined as "what a reasonable person would consider appropriate in the circumstances." This has direct implications for a record manager in that it interjects a great deal of ambiguity to its interpretation or in a more positive spin, leaves considerable freedom in the application of portions of the act.

This questioning or concern over the use of ‘qualifiers’ is echoed by the Honourable Member for Edmonton-Strathcona who sees this as a way in which businesses and hence by association, the business’ records managers, are able to “wiggle... out of their obligations.” There could be considerable debate created over the definition of qualifiers such as ‘reasonable person,’ and subsequently, ‘unauthorized access,’ and ‘significant harm,’ all of which appear in the literature of the Act. The outcomes of these lengthy discussions would have direct bearings on records management. However, it must be argued that by convention all these qualifiers, especially the idea of "reasonable" as defined in Section 2 of the Act, need to be measured as those expressed as the ideas, understanding, and convictions to the average Canadian. While this still leaves some wiggle room for records managers it also places a great deal of the responsibility on their actions. As individuals they may not have any greater understanding of what this means by definition. Nonetheless, they are required to apply it in practice to any and all documents containing personal information regardless of where those documents occur in the lifecycle of the company or business. There is further responsibility in that from a philosophical context they must account for the 'reasonable' understanding of all Canadians. Therefore, they must then develop RM policies and practices that not only follow standard practices and legislation but also exist in the mindset of, in this case, the average Albertan.

A further cautionary note to this idea with regards to Section 59 of the Act must be added. This section outlines in particular, offenses under the Act and subsequent prosecution of offences under the Act. The most significant change in this Section, under Bill 54, is the fact that it is no longer the responsibility of the Crown Prosecutor to determine the intent that an individual and/or institution willingly and knowingly committed an offence. Rather, the Prosecutor only has to provide evidence that an offence was committed under the Act. This has implications for both records managers as well as records management practices. One would argue that this puts all the responsibility on the records manager. Not only is the onus on the records manager to ensure that all records management practices of an organization are in accordance with PIPA, but there must be steps taken to ensure that there are no potential areas of accidental loss. It would appear that this is very much a guilty until proven innocent and potentially, a guilty without knowing. This idea is further reinforced by a policy brief from ARMA International that states how this removal of the 'wilful' clause means that "an organization could be in violation of PIPA, even if found to have acted unintentionally." With the advent of a $10,000 fine for individuals and a $100,000 fine for persons other than individuals for security breaches, there is the potential creation of an increased workload for Records Managers in Alberta not only to maintain current standards of practice but also to become experts in security practices. This would result in additional costs to the parent organization in both material and software for security and in personnel to train, research, implement, manage, and upgrade security practices. An additional impact for records management in this area is the fact that it is an offence to alter, falsify, dispose of, conceal, or destroy a record in order to obstruct the Commissioner during an investigation and/or after an request for information is made. While one believes that this is common sense, its addition to the Amendment Act is important.

There are other amendments to the Act that are of interest to records managers. Included in this are the policies and practices of Section 6. While previously there was only a need for organizations to develop policies and practices that strictly adhered to the legislation set out in Section 6 (1), there is now the requirement that that information be explicitly written and available to individuals should it be requested. This is especially true in the case where it concerns the use and disclosure of personal information to service providers outside of Canada. The PIPA Amendment Act Information Sheet 10 indicates that the Act was previously silent on the method of communicating information related to an organizations policies and practices. Presumably from this statement, records management organizations under PIPA were required to make this information available although it is unclear as to what format. One would suggest that it is possible that some records management organizations already had this information written in some form either for their own internal use and/or in response to requests made. However, there is an equally strong possibility that many did not, and they only responded to requests as they were made. As a result of this particular amendment, records managers should feel the urgent need to develop and maintain additional documents related to their particular policies and practices, and to ensure that this information is current not only to PIPA but also to their own practice.

This documentation will also need to be appended to current document lifecycles or have their own lifecycles created for them. There is the potential for further impact to be felt in ongoing responses to requests for policy and practice information as well as responses to any and all litigation regarding the policy and practice documentation. In addition to this, there is further bearing on the matter when one includes amendments to Section 28. This amendment outlines the fact that failure to respond to written requests within the timeframe allotted is tantamount to a refusal and is called "deemed" refusal. Refusals have the potential for further investigation of an organization's records management practices and documentation by the Commissioner and quite possibly, litigation.

As was alluded to earlier, there have been important amendments to the Act that impact records management when an organization uses an outside service provider. Section 6 has been referenced with regards to the development of policies and practices in conjunction with PIPA. Section 13 has new notification requirements to individuals for any and all use, collection, or disclosure of their personal information to service providers outside Canada. The Personal Information Protection Act Information Sheet 12 calls these amendments a way to "foster openness and accountability in private-sector organizations." One would argue for records management organizations that this is almost a required prior provision of access. Rather than providing access to information after it has been requested, access to or rather the information itself, is provided before it is requested in what is called 'routine disclosure.'

The potential impact on records managers in Alberta is an increase in workload to include proactive access to all persons with personal information held in their repository rather than responsive access to only those persons seeking it. Additionally, there is a side issue not openly addressed in the Act; i.e., the use of service providers from outside Canada itself has an impact for records management in Alberta. Not only will records managers have to know and apply the principles of PIPA to records in Alberta, but they will also have to ensure that these standards are maintained to some degree by the outside service provider through contractual obligation.

Records management in Alberta is further impacted by a change to the definition of 'employee' and 'personal employee information' as seen in Section 1(1)(e) of the Act. Amendments now include anyone who "performs a service" as a partner or a director or officer. In this case, the impact is rather light as the inclusion of personal information about these individuals is simply the addition of documents into the current lifecycle. Even though there is no specific documentation to demonstrate this, one would speculate that much of this personal information about service partners, directors, or officers of an organization is already held by the institution. Where there is a more significant impact is in the change in the definition of 'personal employee information' that now includes "potential, current or former employees." It is a most interesting idea that personal employee information has been amended to now include 'potential' employees. One question that arises is: Who now is determined to be a potential employee? Does this include only those persons recruited by the organization? Does it also include all personal information received from individuals through cold calls and unsolicited resumes?

The Act itself is silent on the definition of potential employees. Unsolicited resumes, for example, could be considered transitory documents by an organization. For example, in the Official and Transitory Records: A Guide for Government of Alberta Employees, unsolicited material from individuals advertising their services may be kept for a period but are regularly destroyed. It is recognized however, that the destruction of such records is suspended during litigation and/or investigation from the Commissioner. It would appear now that with the amendment to PIPA there must be an account of all documents containing any identifiable personal information. It could be suggested then that there is the potential challenge for records managers in that they will be required to be more diligent in their retention and destruction of transitory personal information of potential employees. As noted in the previously mentioned Guide, one would suggest that to it is important also for records managers to err on the side of caution in their application of PIPA. This has direct impact in records management as it means increased cost in both personnel and activity as one could consider this additional potential personal employee information to be a part of the greater documentation and requiring its own management, retention, and destruction schedule.

There are within Bill 54, the Amendment Act, several important changes for records management in Alberta specifically related to retention and destruction. Included in this is Section 35 (1) which outlines that a record 'may' be retained only as long as is 'reasonable' for legal of business purposes. Similarly, Section 35(2) outlines that a record 'must' be destroyed or rendered non-identifying within a 'reasonable' time after it is no longer required. Again these sections use qualifiers, that, as discussed previously, can be unclear in their extent for records managers. However, what is most interesting is the use of the words 'may' and 'must' in the language. The use of these auxiliary verbs impacts how the Act is applied to records management and how it is interpreted by others. In this case "may" generally means discretion and "must" means duty. There is no specific indication of length of time for retention only what is 'reasonable.' Thus, RM is afforded a certain freedom. Yet one could argue that the use of 'must' for destruction purposes could cause a problem for records that are to be kept beyond reasonable business use in some form of archives. The word, 'may,' would imply a possibility of choice. However, the word, 'must,' would indicate no choice at all. If this is the case, records managers are without options, and much of their work will be directly impacted. A further point that is unclear from the Act is whether or not, one must only destroy personal information or "render... information non-identifying" if the information and subsequent records are to be transferred to archives. Section4 (j) only identifies the scope of application for records transferred prior to enforcement of the Act or after enforcement with a prior agreement. The literature similarly gives no indication if this is the case. One would speculate that records containing personal information transferred to archives after the enforcement of the Act are subject to PIPA. However, records managers and/or archivists would have to seek additional legal council on this issue.

One part of the retention schedule that is quite clear from the Act, and one that can greatly assist records managers, is that of Section 42 (2) that states that all records related to an investigation must be kept for a period of one year after the end of the investigation or for a time outlined by the Commissioner. This amendment is in conjunction with changes to the length of time in which an investigation must be completed. Previously, the Commissioner was to complete an investigation within 90 days, but this has now been extended to one year. There has also been an extension in the length of time in which there can be a prosecution under the Act which can occur anytime within two years of an alleged commission of an offence. This impacts records management in regards to retention in that, although records are only required to be kept for one year after an investigation, it may be in the best interests of the organization to keep them for at least two years.

Created by Anthony Worman for LIS 594: Records Management at the School of Library and Information Studies, University of Alberta.

Website created to meet the the requirements of LIS600: Capping Exercise.

Contact: worman(at)ualberta(dot)ca

Last Updated - March 3, 2011